Re: Prevent stealing IP numbers
From: Alexander Clouter (alex_at_digriz.junk-this.org.uk)
Date: Sun, 29 Feb 2004 21:06:48 +0000
On 2004-02-27, Sensei <firstname.lastname@example.org> wrote:
> We're looking for a solution for preventing ip stealing. Students in our
> department usually connect their laptops and use one ip number... you
> can just imagine the conflicts we have...
> Is there a way of using some sort of authentication? I mean, we'll use a
> kerberos server, so we have a strong authentication server. Is this a
> good way? And how to use kerberos in such a way so that students must
> authenticate and gain tickets to use the network?
a good idea would be maybe to start playing with IPSec (and maybe with L2TP)
and a certificate deployment environment.
Students will be able to obtain DHCP leases however you configure the default
gateway machine to expect IPSec'ed traffic to be routed. Although the
students might want to keep with the same IP address, this will be short
lived as they find they will be unable to do anything. If they then need a
real IP address too, use L2TP to tunnel it to them.
Traffic could only be IPSec'ed if the student has placed a certificate on
their laptop, which of course has a unique ID and all, so you can actually
track down if students are being stupid and duplicating trackable
Although a little overkill you might think, this would let you dispose of any
insecure wireless gateways you also have using WEP; you would be able to us
your Certificate IPSec infrastruction.